Description

Help text in models is not escaped in admin.
<code>
from django.db import models

class Post(models.Model):
    # help_text containing markup is rendered as-is by the admin
    title = models.CharField(maxlength=1000, null=True, blank=True,
                             help_text='<obvious>This is the title</obvious>')
</code>
The admin interface will not show it (and using a non-closed <blink> could be fun).
I guess this is a bug, or it should be documented in models that help_text must be HTML.
I would propose no HTML in models.py (so escaping help_text and no formatting in help text).
Maybe ReST would be the best of both worlds.

Although the documentation from [5816] does say help_text isn't escaped, it could be more clear that this means user-derived content shouldn't be exposed through help_text. Putting user content in help_text is an edge case, but it's a conceivable edge case (e.g., user-submitted translations), and we're departing from Django's usual "security by default" policy here, so it's worth being explicit.

Longer term, in the interests of consistency and "security by default", it might also be worth reversing this decision; we have mark_safe(), so if someone needs markup in help_text. However, there are obviously backwards-compatibility concerns in doing this, so we'd need a plan for making this change.

As far as translations are concerned, see #18208. We chose to consider translations as a safe source. It's the developer's duty to check that no suspicious code is inserted by means of translations. So I think we should exclude that use case from the current issue, unless someone wants to reconsider #18208.

@claudep - In this case, I'm referring to a slightly different case for translations. Translations from po files are relatively safe because they need to be committed to the repository before use. I was referring to the possible case of someone storing translations in the database as runtime data, and using those as help_text. It's an edge case on the edge of an edge case, but it's possible.
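The "escape by default, opt in with mark_safe()" design discussed above, as an added example that is not part of this ticket or of Django itself: the SafeString/mark_safe/conditional_escape functions below are stdlib stand-ins that mirror the semantics of django.utils.safestring and django.utils.html, and the help-text values and the database-backed translation table are constructed sample data.

```python
from html import escape


class SafeString(str):
    """Marker type for markup the developer vouches for (stand-in for Django's SafeString)."""


def mark_safe(s: str) -> SafeString:
    # Only for literals the developer controls, e.g. help_text written in models.py.
    return SafeString(s)


def conditional_escape(s: str) -> str:
    # Escape everything except strings explicitly marked safe (mirrors Django's behaviour).
    if isinstance(s, SafeString):
        return str(s)
    return escape(s, quote=True)


def render_help_text_current(help_text: str) -> str:
    # Behaviour reported in the ticket: help_text is dropped into the admin page unescaped,
    # so any markup (including an unclosed <blink>) ends up in the rendered HTML.
    return '<p class="help">%s</p>' % help_text


def render_help_text_escaped(help_text: str) -> str:
    # Proposed "security by default" behaviour: escape unless the developer used mark_safe().
    return '<p class="help">%s</p>' % conditional_escape(help_text)


# Constructed sample: developer-authored help_text that intentionally carries markup.
TRUSTED_HELP = mark_safe("Use <em>plain</em> text only.")

# Constructed sample: translations stored in the database at runtime (user-derived, untrusted),
# the edge case raised in the last comment.
RUNTIME_TRANSLATIONS = {
    "title": "<obvious>This is the title</obvious><blink>",
}


def help_text_from_db(field_name: str) -> str:
    # Runtime data comes back as a plain str, so conditional_escape() will escape it.
    return RUNTIME_TRANSLATIONS[field_name]


if __name__ == "__main__":
    print(render_help_text_current(help_text_from_db("title")))   # markup injected
    print(render_help_text_escaped(help_text_from_db("title")))   # markup neutralised
    print(render_help_text_escaped(TRUSTED_HELP))                 # opt-in markup kept
```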